Description
In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix bpf_xdp_store_bytes proto for read-only arg

While making some maps in Cilium read-only from the BPF side, we noticed
that the bpf_xdp_store_bytes proto is incorrect. In particular, the
verifier was throwing the following error:

; ret = ctx_store_bytes(ctx, l3_off + offsetof(struct iphdr, saddr),
&nat->address, 4, 0);
635: (79) r1 = *(u64 *)(r10 -144) ; R1=ctx() R10=fp0 fp-144=ctx()
636: (b4) w2 = 26 ; R2=26
637: (b4) w4 = 4 ; R4=4
638: (b4) w5 = 0 ; R5=0
639: (85) call bpf_xdp_store_bytes#190
write into map forbidden, value_size=6 off=0 size=4

nat comes from a BPF_F_RDONLY_PROG map, so R3 is a PTR_TO_MAP_VALUE.
The verifier checks the helper's memory access to R3 in
check_mem_size_reg, as it reaches ARG_CONST_SIZE argument. The third
argument has expected type ARG_PTR_TO_UNINIT_MEM, which includes the
MEM_WRITE flag. The verifier thus checks for a BPF_WRITE access on R3.
Given R3 points to a read-only map, the check fails.

Conversely, ARG_PTR_TO_UNINIT_MEM can also lead to the helper reading
from uninitialized memory.

This patch simply fixes the expected argument type to match that of
bpf_skb_store_bytes.
Published: 2026-05-27
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel verifier incorrectly interpreted the arguments for the bpf_xdp_store_bytes helper, treating a data store operation in a read‑only BPF map as a writable access. This caused legitimate BPF programs that need to write to read‑only maps to be rejected by the verifier. The patch corrects the helper prototype to match bpf_skb_store_bytes so that the verifier properly identifies the operation as a write to a permissible memory location, restoring normal functionality for these programs. No evidence is provided that the flaw could be leveraged for privilege escalation or memory corruption.

Affected Systems

The issue exists in any Linux kernel that implements the buggy bpf_xdp_store_bytes prototype until the kernel is updated with the 2026‑45886 fix. This applies to all vendor distributions shipping the affected kernel source. Specific version ranges are not listed in the advisories; users should consult kernel changelogs that include the patch.

Risk and Exploitability

Because the flaw is limited to the verification of BPF helper arguments, there is no known direct exploit path or active exploitation. EPSS data are not available and the vulnerability is not listed in the CISA KEV catalog. The impact is therefore largely operational, resulting in denial of service to applications that rely on BPF programs that attempt to write to read‑only maps. The risk of exploitation is considered low based on the current public information.

Generated by OpenCVE AI on May 27, 2026 at 16:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the kernel to a version that contains the CVE-2026-45886 fix
  • Ensure that any custom BPF programs are designed around the updated prototype to avoid verifier rejection
  • Consult distribution security advisories for specific patched kernel releases

Generated by OpenCVE AI on May 27, 2026 at 16:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 27 May 2026 17:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-704

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: bpf: Fix bpf_xdp_store_bytes proto for read-only arg While making some maps in Cilium read-only from the BPF side, we noticed that the bpf_xdp_store_bytes proto is incorrect. In particular, the verifier was throwing the following error: ; ret = ctx_store_bytes(ctx, l3_off + offsetof(struct iphdr, saddr), &nat->address, 4, 0); 635: (79) r1 = *(u64 *)(r10 -144) ; R1=ctx() R10=fp0 fp-144=ctx() 636: (b4) w2 = 26 ; R2=26 637: (b4) w4 = 4 ; R4=4 638: (b4) w5 = 0 ; R5=0 639: (85) call bpf_xdp_store_bytes#190 write into map forbidden, value_size=6 off=0 size=4 nat comes from a BPF_F_RDONLY_PROG map, so R3 is a PTR_TO_MAP_VALUE. The verifier checks the helper's memory access to R3 in check_mem_size_reg, as it reaches ARG_CONST_SIZE argument. The third argument has expected type ARG_PTR_TO_UNINIT_MEM, which includes the MEM_WRITE flag. The verifier thus checks for a BPF_WRITE access on R3. Given R3 points to a read-only map, the check fails. Conversely, ARG_PTR_TO_UNINIT_MEM can also lead to the helper reading from uninitialized memory. This patch simply fixes the expected argument type to match that of bpf_skb_store_bytes.
Title bpf: Fix bpf_xdp_store_bytes proto for read-only arg
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-27T12:16:58.000Z

Reserved: 2026-05-13T15:03:33.082Z

Link: CVE-2026-45886

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:02.567

Modified: 2026-05-27T14:48:31.480

Link: CVE-2026-45886

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-27T18:00:14Z

Weaknesses